#Error creating role: calling security/roles: got {'message: 'URI does not exist.', 'code': 5636170)


quiet kayak
#

Hello,
Getting a "URI does not exist" error when trying to create a role on a NAS cluster. I'm able to communicate with the NAS cluster and it gives me node info and svm info without any issues (to test connectivity).

env:
ansible - 2.10.3
netapp.ontap - 22.3.0
netapp-lib - 2021.6.25
requests - 2.27.1

module is : na_ontap_user_role

Any input is greatly appreciated.

plain hornet
#

please share the playbook task and the playbook error response.

plain hornet
#

It could be error returned by ONTAP, we can confirm it by creating the user role in ONTAP cli

quiet kayak
#

Hello Mohan Raj - thanks for the reply, the issue has been resolved. Seems like netapp.ontap>=22.0.0 is not liking module na_ontap_user_role, as this module calls the API via ZAPI and netapp.ontap supports only REST. Once I downgraded my netapp.ontap to 21.3.1, it's working as expected.

plain hornet
#

it should work on the latest version too, can you share the playbook task that's causing the issue?

quiet kayak
#
- name: Create User Role Zapi
  na_ontap_user_role:
    state: present
    name: "{{ item.role_name }}"
    command_directory_name: "{{ item.role_cmd }}"
    access_level: "{{ item.role_access }}"
    query: show
    vserver: "{{ array }}"
    hostname: "{{ array }}"
    username: "{{ username }}"
    password: "{{ current_password }}"
    https: true
    validate_certs: false
  with_items: "{{ role_create }}"

plain hornet
#

what's actually the item.role_cmd that causes the error?

#

also item.role_access ?
-vvv to playbook run will get more info on error

quiet kayak
#

role_cmd: DEFAULT
or sometimes
role_cmd: vserver vscan

#

yeah, ran with extra verbose and it's giving the subject error message, no other details

#

role_access: readonly

vocal light
#

That is the exact same issue I ran into. To me it looks like the module doesn't handle correctly when issuing the "old" style role format via REST API. If you use the REST style example it works, but will only create a rest-role.

- name: Modify user role REST
  netapp.ontap.na_ontap_user_role:
    state: present
    privileges:
      - path: /api/cluster/jobs
        access: readonly
      - path: /api/storage/volumes
        access: readonly
    vserver: ansibleSVM
    name: carchi-test-role

harsh siren
#

I've got a similar query to this.. Can we get more examples of using ontap_user_role? Specifically, I'd like some examples which show how to use privileges and query, which is a new option. I assume we can use query to apply more granular API level access, but I'm not sure how this is actually formatted or used.

plain hornet
#

@quiet kayak since use_rest is not specified in this task, the module will attempt to use REST; you will get the below error if you are using 9.10 or earlier versions, as it does not support legacy roles.
Specified URI path is invalid or not supported. Verify that the URI contains only valid characters. Variable-path URIs are not supported

if you want to create a legacy role with command/command directory for ONTAP 9.10 or earlier version, explicitly set use_rest: never

ONTAP 9.11.1 or later allows create/modify/delete of both legacy and REST roles.

#

the error is coming from ONTAP.

plain hornet
#

na_ontap_user_role module requires an update in documentation on using legacy and REST roles.

also restrict using legacy roles for ONTAP 9.11 earlier versions in REST.

harsh siren
#

@plain hornet Can you give an example using na_ontap_user_role how to create a role which has specific API restrictions, such as only being able to access /api/storage/volumes but only perform specific actions such as modify max-files?

plain hornet
#

currently the module supports only none, readonly and all for privileges.access and access_level, but I think we cannot restrict to modify only a specific option in a REST API role.

REST doc has these additional access levels - [none, readonly, read_create, read_modify, read_create_modify, all], we can add this if supported.

harsh siren
#

Yes, I would like support for "read_create, read_modify, read_create_modify" if possible. I'm still confused how the query parameter is used, not sure if you're able to comment on this

plain hornet
#

use_rest: never should work for ONTAP 9.10.1 or earlier versions for using legacy commands.

tracked with DEVOPS-5926, since legacy role not supported in REST for 9.10.1 or earlier versions, we can restrict user not to set legacy commands in REST for older versions.

quiet kayak
#

Hello @plain hornet - I set use_rest to auto and it's automatically falling back to ZAPI to create the role, and the role is getting created successfully without any issues if the netapp-lib version is 2020.7.16

plain hornet
#

what is the ONTAP version?
REST supports from 9.7
when use_rest: auto set, module will fall back to zapi for 9.6

quiet kayak
#

we are running 9.10

plain hornet
#

when use_rest: auto is set, the module attempts to use REST; if there is any error, it falls back to zapi.

any error when use_rest: always set?